Restricting roles, Role time restrictions, Role address restrictions – HP Integrated Lights-Out 3 User Manual

Restricting roles

Restrictions allow administrators to limit the scope of a role. A role grants rights only to users who
satisfy the role restrictions. Using restricted roles results in users who have dynamic rights that can
change based on the time of day or network address of the client.

NOTE:

When directories are enabled, access to a particular iLO is based on whether the user

has read access to a role object that contains the corresponding iLO object. This includes, but is
not limited to, the members listed in the role object. If the role is configured to allow inheritable
permissions to propagate from a parent, members of the parent that have read access privileges
will also have access to iLO. To view the access control list, navigate to Active Directory Users and
Computers, open the Properties page for the role object, and then click the Security tab. The
Advanced View must be enabled in MMC in order to view the Security tab.

For instructions on how to create network and time restrictions for a role, see

“Role Restrictions

tab” (page 179)

or

“Role Restrictions tab” (page 187)

.

Role time restrictions

Administrators can place time restrictions on LOM roles. Users are granted the rights specified for
the LOM devices listed in the role only if they are members of the role and meet the time restrictions
for the role. LOM devices use local host time to enforce time restrictions. If the LOM device clock
is not set, the role time restriction fails unless no time restrictions are specified for the role.

Role-based time restrictions can be met only if the time is set on the LOM device. The time is normally
set when the host is booted. The time setting can be maintained by configuring SNTP or by running
the agents in the host operating system, which allows the LOM device to compensate for leap
years and minimize clock drift with respect to the host. Events, such as unexpected power loss or
flashing LOM firmware, can cause the LOM device clock to not be set. Also, the host time must be
correct for the LOM device to preserve time across firmware flashes.

Role address restrictions

Role address restrictions are enforced by the LOM firmware, based on the client IP network address.
When the address restrictions are met for a role, the rights granted by the role apply.

Address restrictions can be difficult to manage if access is attempted across firewalls or through
network proxies. Either of these mechanisms can change the apparent network address of the
client, causing the address restrictions to be enforced in an unexpected manner.

User restrictions

You can restrict access using address or time restrictions.

User address restrictions

Administrators can place network address restrictions on a directory user account, which are
enforced by the directory server. For information about the enforcement of address restrictions on
LDAP clients, such as a user logging in to a LOM device, see the documentation for the directory
service.

Network address restrictions placed on the user in the directory might not be enforced in the
expected manner if the directory user logs in through a proxy server. When a user logs in to a
LOM device as a directory user, the LOM device attempts authentication to the directory as that
user, which means that address restrictions placed on the user account apply when the user is
accessing the LOM device. However, because the user is proxied at the LOM device, the network
address of the authentication attempt is that of the LOM device, not that of the client workstation.

IP address range restrictions

IP address range restrictions enable the administrator to specify network addresses that are granted
or denied access. The address range is typically specified in a low-to-high range format. An address

Directory-enabled remote management

193